Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

From: Perry E. Metzger
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 15:42:23 -0400

On Thu, 23 Oct 2014 20:59:56 +0200 Florian Weimer <address@hidden> wrote:
> * Perry E. Metzger:
> > On Thu, 23 Oct 2014 20:43:32 +0200 Florian Weimer
> > <address@hidden> wrote:
> >> Keep in mind that TLS 1.0 basically has the same problem as SSL
> >> 3.0, and support for protocols beyond TLS 1.0 is not actually
> >> widespread.
> >
> > Connections to most of the top sites are TLS 1.2 at this point.
> > Google is TLS 1.2. Facebook is TLS 1.2. Amazon is TLS 1.2. Apple
> > is TLS 1.2. I could go on and on.
> Many IMAP servers running on free software still use OpenSSL 1.0.0
> or even OpenSSL 0.9.8, which do not support TLS 1.2.
> Interoperability with those should be our priority, not the
> proprietary services you listed.

Free software has supported TLS 1.2 for a long time. What you're
claiming is that you know of loads of people who have failed to
upgrade their software -- but it is of course easy to upgrade if
you run free software, because nothing prevents you from getting
updated packages. Yes, the OLD versions of the packages don't support
TLS 1.2, but the new packages are readily available.

Anyway, this attitude is why the NSA has such an easy time spying on
the world. "We can't afford to have security, people might get
inconvenienced for the length of time needed to upgrade their

The intelligence agencies thank you for your inadvertent assistance
in assuring that various kinds of downgrade, padding and other attacks
will remain feasible for years to come.

Perry E. Metzger                address@hidden

